static-nat taking precedence over just routed traffic

rizwanr74
Level 7

Hi Guys,

 

I have a static NAT for public-to-private, as shown below, on an ASA 8.2; however, I have users accessing this private IP (10.0.10.245) via an MPLS link.

Users are complaining that there is traffic loss.

static (inside-10,outside-48) 116.19.49.52 10.0.10.245 netmask 255.255.255.255

When I did a packet-tracer, I noticed the return traffic is taken over by the static NAT.

ASA# packet-tracer input new-mpls tcp 10.32.26.185 1621 10.0.10.245 8080

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.10.0       255.255.255.0   inside-10

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group mpls_intf in interface new-mpls
access-list mpls_intf extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (new-mpls) 0 0.0.0.0 0.0.0.0
nat-control
  match ip new-mpls any dmz-12 any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside-10) 2 10.0.10.0 255.225.255.0
nat-control
  match ip inside-10 10.0.10.0 255.225.255.0 new-mpls any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 5000045, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside-10,outside-48) 116.19.49.52 10.0.10.245 netmask 255.255.255.255
nat-control
  match ip inside-10 host 10.0.10.245 outside-48 any
    static translation to 116.19.49.52
    translate_hits = 1593, untranslate_hits = 765
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 72453496, packet dispatched to next module

Result:
input-interface: new-mpls
input-status: up
input-line-status: up
output-interface: inside-10
output-status: up
output-line-status: up
Action: allow

ASA#

How can I avoid this routed traffic being taken over by the static NAT?

Thanks

Rizwan

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

This NAT phase is something that you can ignore in the packet-tracer output:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside-10,outside-48) 116.19.49.52 10.0.10.245 netmask 255.255.255.255
nat-control
  match ip inside-10 host 10.0.10.245 outside-48 any
    static translation to 116.19.49.52
    translate_hits = 1593, untranslate_hits = 765
Additional Information:

This does not mean that this Static NAT is being used for the specific traffic that you are testing and can be ignored.

Thanks and Regards,

Vibhor Amrodia
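One way to see why that phase can be set aside is to check which interface pair each NAT rule in the trace is bound to. The helper below is an added example for this thread, not part of the original posts and not a Cisco tool: it parses packet-tracer text in the layout quoted above, reads the flow's input and output interfaces from the Result block, and for every NAT phase compares them with the two interfaces named on the rule's "match ip" line. The sample trace is cut down from the post; the names `analyze`, `NatPhase`, `parse_match_line` and `report` are this example's own. The check rests on one fact about ASA NAT: a rule is bound to an interface pair, so a static written for (inside-10,outside-48) cannot translate a flow between new-mpls and inside-10.

```python
"""NAT phases of an ASA 8.2 packet-tracer run, with the interface pair each is bound to.

Added helper for this thread, not a Cisco tool; it only understands the text layout
shown in the post. An ASA NAT rule is bound to one interface pair, so a static written
for (inside-10,outside-48) cannot translate a flow between new-mpls and inside-10.
"""
import re
from dataclasses import dataclass

# Constructed sample: the packet-tracer output quoted in the post, cut down to
# two NAT phases and the final Result block.
SAMPLE_TRACE = """\
Phase: 6
Type: NAT
Subtype: rpf-check
Config:
nat (inside-10) 2 10.0.10.0 255.225.255.0
nat-control
  match ip inside-10 10.0.10.0 255.225.255.0 new-mpls any
    dynamic translation to pool 2 (No matching global)
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Config:
static (inside-10,outside-48) 116.19.49.52 10.0.10.245 netmask 255.255.255.255
nat-control
  match ip inside-10 host 10.0.10.245 outside-48 any
    static translation to 116.19.49.52
Additional Information:

Result:
input-interface: new-mpls
output-interface: inside-10
Action: allow
"""


@dataclass
class NatPhase:
    number: int
    subtype: str   # "host-limits" or "rpf-check", as printed by packet-tracer
    rule: str      # first Config: line, e.g. "static (inside-10,outside-48) ..."
    src_if: str
    dst_if: str
    applies: bool  # the rule's interface pair is the flow's in/out pair


def parse_match_line(line):
    """'match ip <src_if> <src> <dst_if> <dst>' -> (src_if, dst_if).
    <src> is 'any' (one token) or 'host A.B.C.D' / 'A.B.C.D MASK' (two tokens)."""
    tokens = line.split()
    if tokens[:2] != ["match", "ip"]:
        raise ValueError(f"not a match line: {line!r}")
    dst_if = tokens[4] if tokens[3] == "any" else tokens[5]
    return tokens[2], dst_if


def _header_fields(block):
    """Top-level 'Key: value' lines of one block; indented lines are skipped."""
    fields = {}
    for line in block.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields


def analyze(trace):
    """Return (input_if, output_if, [NatPhase, ...]) for one packet-tracer run."""
    blocks = [b for b in re.split(r"\n\s*\n", trace.strip()) if b.strip()]
    result = next((_header_fields(b) for b in blocks if b.startswith("Result:")), {})
    in_if, out_if = result.get("input-interface"), result.get("output-interface")
    phases = []
    for block in blocks:
        hdr = _header_fields(block)
        lines = block.splitlines()
        if (not block.startswith("Phase:") or hdr.get("Type") != "NAT"
                or "Config:" not in lines or "Additional Information:" not in lines):
            continue
        cfg = lines[lines.index("Config:") + 1:lines.index("Additional Information:")]
        match = next((c for c in cfg if c.strip().startswith("match ip ")), None)
        if match is None:
            continue
        src_if, dst_if = parse_match_line(match)
        phases.append(NatPhase(int(hdr["Phase"]), hdr.get("Subtype", ""),
                               cfg[0].strip(), src_if, dst_if,
                               {src_if, dst_if} == {in_if, out_if}))
    return in_if, out_if, phases


def report(trace):
    """One verdict line per NAT phase, to read next to the raw trace."""
    in_if, out_if, phases = analyze(trace)
    out = [f"flow: {in_if} -> {out_if}"]
    for p in phases:
        verdict = ("interface pair matches this flow" if p.applies
                   else f"bound to ({p.src_if},{p.dst_if}), not this flow")
        out.append(f"phase {p.number} NAT/{p.subtype}: {p.rule} -> {verdict}")
    return out
```

Calling `report(SAMPLE_TRACE)` gives one line per NAT phase: phase 6 is bound to (inside-10,new-mpls), the pair the traced flow actually crosses, while phase 7 is bound to (inside-10,outside-48) and so cannot be the rule that translates this flow. The check only says which rules are in play for the pair; whether a translation happens, and to what, is still read off that phase's own "translation" line.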

Hi Vibhor,

"This does not mean that this Static NAT is being used for the specific traffic that you are testing and can be ignored."

I am not sure about your statement above.

The outside-48 interface of the ASA is on a public address.

How could it not matter, when the return traffic is being NATted back to the public IP as per packet-tracer, whereas users are accessing the destination address 10.0.10.245, which is the real IP?

I lost you here.

thanks

If I put a NAT exemption on the interface inside-10:

access-list nat0-inside-10 extended permit ip host 10.0.10.245 host 10.32.26.185
nat (inside-10) 0 access-list nat0-inside-10

Or would a policy static NAT work?

access-list pnat extended permit ip host 10.0.10.245 host 10.32.26.185
static (inside-10,new-mpls) 10.0.10.245 access-list pnat

thanks
